
MECM Cloud Management Gateway (CMG) Virtual Machine Scale Set (VMSS)

As we are all aware, the Virtual Machine Scale Set (VMSS) option was first introduced in version 2010 as a pre-release feature. Starting in version 2107, we can all deploy a CMG with a Virtual Machine Scale Set (VMSS). If you have an existing CMG deployed with the classic cloud service, convert the CMG to use a Virtual Machine Scale Set.


Cost of CMG in Virtual Machine Scale Set:-

  • CMG uses the Azure platform as a service (PaaS).

  • In version 2103 or earlier, CMG uses a standard A2_v2 VM.

  • In version 2107 or later, we can configure the VM size.

  1. Lab (B2s) -- This VM size is only for lab testing and small environments. It's not for production.

  2. Standard (A2_v2)

  3. Large (A4_v2)

  • We can't change the VM size once it's configured. To change the VM size, redeploy the service.

  • The number of VM instances that support the CMG: one is the default, and 16 is the maximum. This number is set when you create the CMG, but you can change it later as service needs change.

  • To know the Outbound traffic



Prerequisites:-

  1. An Azure subscription to host the CMG.

  2. Integrate the site with Azure AD to deploy the service with Azure Resource Manager.

  3. Full Administrator or Infrastructure Administrator rights in the Configuration Manager console.

  4. The service connection point must be in online mode.

  5. Clients must use IPv4.

  6. At least one on-premises Windows server to host the CMG connection point.

  7. Configure the management point (MP) to allow traffic from the CMG; it requires HTTPS or Enhanced HTTP (EHTTP).

  8. A server authentication certificate for the CMG.

Configuration/Operation and Functionality of the CMG:-

  • Other Azure resource providers that need to be enabled (click here):

  1. Microsoft.KeyVault

  2. Microsoft.Storage

  3. Microsoft.Network

  4. Microsoft.Compute

  • A Virtual Machine Scale Set uses a different deployment name, for example mecmtechie.Eastus.Cloudapp.Azure.com for the East US Azure region.

  • The CMG connection point only communicates with the Virtual Machine Scale Set in Azure over HTTPS. It doesn't require any TCP-TLS ports.
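The four resource providers listed above must be registered in the subscription before the site server starts creating the Key Vault, network and compute resources (the CloudMgr.log excerpt later in this post shows exactly those deployments). The following PowerShell check is an added example, not part of the original post or of Configuration Manager itself. It assumes the Az PowerShell module (Az.Resources) is installed, that Connect-AzAccount has already been run with an account allowed to register providers on the subscription, and that the $SubscriptionId value is replaced with the real one (the value below is a placeholder).

```powershell
# Added example, not from the original post. Requires the Az module and an
# authenticated session (Connect-AzAccount). Registering a resource provider is
# asynchronous, so the function polls until the namespace reports 'Registered'
# or the timeout expires.

$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder: the subscription that hosts the CMG

# Resource providers the CMG VMSS deployment depends on (from the list above)
$RequiredProviders = @(
    'Microsoft.KeyVault',
    'Microsoft.Storage',
    'Microsoft.Network',
    'Microsoft.Compute'
)

function Get-ProviderState {
    param([Parameter(Mandatory)][string]$Namespace)
    # Get-AzResourceProvider returns one object per resource type in the
    # namespace; each carries the same namespace-level RegistrationState.
    $provider = Get-AzResourceProvider -ProviderNamespace $Namespace | Select-Object -First 1
    if (-not $provider) { return 'Unknown' }
    return $provider.RegistrationState
}

function Test-CmgResourceProviders {
    param(
        [Parameter(Mandatory)][string[]]$Namespaces,
        [switch]$Register,
        [int]$TimeoutSeconds = 300
    )

    foreach ($ns in $Namespaces) {
        $state = Get-ProviderState -Namespace $ns

        if ($state -ne 'Registered' -and $Register) {
            Write-Verbose "$ns is $state; submitting registration"
            Register-AzResourceProvider -ProviderNamespace $ns | Out-Null

            # Poll until registered or until the deadline passes
            $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
            do {
                Start-Sleep -Seconds 10
                $state = Get-ProviderState -Namespace $ns
            } while ($state -ne 'Registered' -and (Get-Date) -lt $deadline)
        }

        [pscustomobject]@{
            Namespace = $ns
            State     = $state
            Ready     = ($state -eq 'Registered')
        }
    }
}

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

$result = Test-CmgResourceProviders -Namespaces $RequiredProviders -Register
$result | Format-Table -AutoSize

if ($result.Ready -contains $false) {
    Write-Warning 'One or more resource providers are not registered; the CMG deployment will fail until they are.'
}
```

Run it without -Register first to see the current state; registering a provider needs the subscription-level register permission, which the day-to-day account used for Configuration Manager administration does not necessarily have, so this step is best done once by the subscription owner rather than granted to the CMG server app.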

Limitations for CMG with Virtual Machine Scale Set:-

  • It doesn't support Azure US Government cloud environments.

  • You may experience a delay of up to three seconds for actions in Software Center.

  • We can't approve or deny application requests through the CMG.



How to Configure Virtual Machine Scale Set:-

  • Sign in to the Azure portal.

  • From the portal home page, search for Virtual Machine Scale Set.

  • Select Virtual Machine Scale Set and click Create.



  • In the Virtual Machine Scale Set window, provide all the basic details like the scale set name, region, username and password to connect to the virtual machine, OS image, etc.

  • Select the respective tabs to change configuration like Disks, Networking, Scaling, etc.

  • Once validation passes, click Create.

  • Wait until the deployment is completed.


Create and Issue Web Server CMG Virtual Machine Scale Set Certificate


We will create a new custom web server certificate for Virtual Machine Scale Set.

  • Log in to the Certification Authority (CA) server. Right-click Certificate Templates and select Manage.

  • Right-click Web Server and click Duplicate Template.

  • Click the Compatibility tab:

  1. Certification Authority must be Windows Server 2008 or later. (Windows Server 2012 is recommended.)

  2. Certificate recipient must be Windows Vista/Server 2008 or later. (Windows 8/Windows Server 2012 is recommended.)



  • Click the General tab and specify a name for this template.

  • Click Request Handling and ensure Allow private key to be exported is checked.

  • In the Cryptography tab, provide the details mentioned below:

  1. Provider Category must be Key Storage Provider. (required)

  2. Algorithm name must be RSA. (required)

  3. Minimum key size: 2048-bit or 4096-bit key length.

  4. Requests must use one of the following providers: Microsoft Software Key Storage Provider.

  • In the Security tab, grant the required Enroll permission.



  • Now right-click Certificate Templates and click New --> Certificate Template to Issue.

  • Select the certificate template and click OK.

  • Now enroll the web server CMG VMSS certificate on the site server. Open the Certificates console (certlm.msc).

  • Personal --> Certificates --> All Tasks --> Request New Certificate

  • Click Next.



  • From the list of certificates, select MECM CMG Virtual Scale Set Certificate and click More information is required to enroll for this certificate.

  • In Certificate Properties, under Subject name, set the Alternative name type to DNS and enter the deployment name. So I will enter MECMTechie.eastus.cloudapp.azure.com.

  • Click OK.

  • Click Enroll and finish.




  • Select the CMG Virtual Machine Scale Set certificate, right-click it and click All Tasks --> Export.


  • Click Next.



  • Select the option Yes, export the private key.


  • Select the .PFX format and click Next.


  • Enter a password and click Next.

  • Save the certificate and click Finish.
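Before exporting, it is worth confirming that the certificate the CA actually issued matches the template settings above (RSA, at least 2048 bits, Key Storage Provider, exportable private key, Server Authentication usage, and the deployment name in the SAN), because a template edited after the first enrollment or a request that picked up a different template will only show up as a failure in the CMG wizard. The script below is an added example, not part of the original post or of Configuration Manager. It assumes an elevated Windows PowerShell session on the site server where the certificate was enrolled, that $DeploymentName is the SAN entered above, and that $PfxPath is a location of your choosing (the path shown is an assumption).

```powershell
# Added example, not from the original post. Checks the enrolled CMG VMSS
# certificate in LocalMachine\My against the template requirements described
# above and only then exports it, with its private key, to a password-protected
# PFX. Run elevated so the machine-store private key is readable.

$DeploymentName = 'MECMTechie.eastus.cloudapp.azure.com'  # SAN entered during enrollment
$PfxPath        = 'C:\Temp\CMG-VMSS.pfx'                  # assumed export location

$ServerAuthOid  = '1.3.6.1.5.5.7.3.1'                     # Server Authentication EKU
$ExpectedKsp    = 'Microsoft Software Key Storage Provider'

function Get-SanDnsNames {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Subject Alternative Name extension (OID 2.5.29.17); on Windows Format()
    # renders it as "DNS Name=host1, DNS Name=host2".
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-CmgCertificate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$DnsName
    )

    # RSACng means the key lives in a CNG Key Storage Provider; a legacy CSP key
    # comes back as RSACryptoServiceProvider, and a non-RSA key returns $null.
    $rsa   = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    $isCng = $rsa -is [System.Security.Cryptography.RSACng]

    $eku     = $Certificate.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # Exportability is a property of the CNG key itself, set from the template's Request Handling tab
    $exportable = $false
    if ($isCng) {
        $exportable = ([int]($rsa.Key.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport)) -ne 0
    }

    [ordered]@{
        'Has private key'            = $Certificate.HasPrivateKey
        'Algorithm is RSA'           = ($null -ne $rsa)
        'Key size >= 2048'           = ($null -ne $rsa) -and ($rsa.KeySize -ge 2048)
        'Key Storage Provider (CNG)' = $isCng
        'Microsoft Software KSP'     = $isCng -and ($rsa.Key.Provider.Provider -eq $ExpectedKsp)
        'Private key exportable'     = $exportable
        'Server Authentication EKU'  = ($ekuOids -contains $ServerAuthOid)
        "SAN contains $DnsName"      = ((Get-SanDnsNames -Certificate $Certificate) -contains $DnsName)
        'Within validity period'     = ($Certificate.NotBefore -le (Get-Date)) -and ($Certificate.NotAfter -gt (Get-Date))
    }
}

# Pick the newest certificate in the machine store whose SAN carries the deployment name
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ((Get-SanDnsNames -Certificate $_) -contains $DeploymentName) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) { throw "No certificate with a private key and SAN '$DeploymentName' found in LocalMachine\My" }

$checks = Test-CmgCertificate -Certificate $cert -DnsName $DeploymentName
$checks.GetEnumerator() | ForEach-Object { '{0,-40} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAILED' }) }

if ($checks.Values -contains $false) {
    throw "Certificate $($cert.Thumbprint) does not meet the CMG template requirements; fix the template and re-enroll."
}

# Export with the private key, protected by a password entered interactively
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the PFX'
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword | Out-Null
Write-Host "Exported $($cert.Thumbprint) to $PfxPath"
```

The exported PFX contains the CMG's private key, so keep it on the site server only for as long as the CMG wizard needs it and remove it after the import; the certificate itself stays in the machine store if you need to export it again.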

If you want to configure the Server App & Client App, click here.




Configure Azure Services: Importing Server App & Client App in the MECM Console:-

  • Open the MECM console (Administration --> Azure Services --> Configure Azure Services), select Cloud Management Gateway and select Next.



  • Browse for the Web App and select the Import option.



  • Provide details for the Server App/Web App:

  1. Azure AD Tenant Name - select the tenant name (click here)

  2. Azure AD Tenant ID - select the tenant ID from here

  3. Application Name - select the application from here

  4. Client ID - select the client ID from here

  5. Secret Key - select the secret key from here

  6. Secret Key Expiry - select the secret key expiry from here

  7. App ID URI - select the App ID URI from here

  8. Click Verify and click OK.


  • Browse for the Native Client App.

  • Provide details for the Native Client App:

  1. Application Name - select the application from here

  2. Client ID - select the client ID from here

  3. Click OK.


  • Enable Azure AD User Discovery, click Next and then Close.


Installing Cloud Management Gateway:-


  • Open the MECM console (Administration --> Cloud Services --> Cloud Management Gateway --> Create Cloud Management Gateway).


  • Select the Azure environment (Azure Public Cloud) and the cloud service type Virtual Machine Scale Set.

  • Provide the certificate and the necessary information.


  • Select the option if you want to use it as a cloud distribution point.



  • Specify alerts, click Next and then Close.

  • Make sure the status changes to Ready.

  • Install the cloud management gateway connection point (MECM console --> Administration --> Site Configuration --> Servers and Site System Roles --> select the server on which you want to install the role).

Log Information


Create Resource Group:-

11-28-2021 08:13:15.715 SMS_CLOUD_SERVICES_MANAGER 9056 (0x2360) Resource Manager - Initializing... Acquiring access token to resource manager and accessing the subscription~~

11-28-2021 08:13:16.123 SMS_CLOUD_SERVICES_MANAGER 9056 (0x2360) Resource Manager - Initialized~~

11-28-2021 08:13:17.044 SMS_CLOUD_SERVICES_MANAGER 9056 (0x2360) Resource Manager - Creating resource group mecmtechie with location East US~~

11-28-2021 08:13:17.987 SMS_CLOUD_SERVICES_MANAGER 9056 (0x2360) Resource Manager - Resource group mecmtechie created~~

11-28-2021 08:13:17.997 SMS_CLOUD_SERVICES_MANAGER 9056 (0x2360) Acquiring access token to Microsoft graph endpoint ...~~

11-28-2021 08:13:19.426 SMS_CLOUD_SERVICES_MANAGER 9056 (0x2360) Successfully retrieve service principal Id = 5224bb9f-f513-4553-a8c9-fad93fbfc0ca of app b7ba0aa0-6c29-4216-94a2-da71e614a3a9~~


Create needed Azure Resources

  • Key Vault:-

11-28-2021 08:13:19.427 SMS_CLOUD_SERVICES_MANAGER 9056 (0x2360) Resource Manager - Creating key vault mecmtechie with deployment CreateKeyVaulta4ee0632-53dd-4e8a-b50c-a4551756dbf6~~

11-28-2021 08:13:23.168 SMS_CLOUD_SERVICES_MANAGER 9056 (0x2360) Resource Manager - Created deployment CreateKeyVaulta4ee0632-53dd-4e8a-b50c-a4551756dbf6~~

11-28-2021 08:13:53.797 SMS_CLOUD_SERVICES_MANAGER 9056 (0x2360) Resource Manager - Deployment CreateKeyVaulta4ee0632-53dd-4e8a-b50c-a4551756dbf6 succeeded~~

  • NSG (Network Security Group):-

11-28-2021 08:13:59.435 SMS_CLOUD_SERVICES_MANAGER 9056 (0x2360) Resource Manager - Creating network security group mecmtechie with deployment CreateNetworkSecurityGroup5398212a-4595-4fae-8b16-3cbe97539904~~

11-28-2021 08:14:01.266 SMS_CLOUD_SERVICES_MANAGER 9056 (0x2360) Resource Manager - Created deployment CreateNetworkSecurityGroup5398212a-4595-4fae-8b16-3cbe97539904~~

11-28-2021 08:14:16.674 SMS_CLOUD_SERVICES_MANAGER 9056 (0x2360) Resource Manager - Deployment CreateNetworkSecurityGroup5398212a-4595-4fae-8b16-3cbe97539904 succeeded~~

  • VNET (Virtual Network):-

11-28-2021 08:14:18.119 SMS_CLOUD_SERVICES_MANAGER 9056 (0x2360) Resource Manager - Creating virtual network mecmtechie with deployment CreateVirtualNetworkdc214519-b6ac-4d1a-b73f-fc347a05e73c~~

11-28-2021 08:14:36.106 SMS_CLOUD_SERVICES_MANAGER 9056 (0x2360) Resource Manager - Deployment CreateVirtualNetworkdc214519-b6ac-4d1a-b73f-fc347a05e73c succeeded~~



  • Public IP address:-

11-28-2021 08:14:38.677 SMS_CLOUD_SERVICES_MANAGER 9056 (0x2360) Resource Manager - Creating Public IP Address mecmtechie with deployment CreatePublicIPAddressc254649a-d182-433c-b13e-45002123e1b2~~

11-28-2021 08:14:56.734 SMS_CLOUD_SERVICES_MANAGER 9056 (0x2360) Resource Manager - Deployment CreatePublicIPAddressc254649a-d182-433c-b13e-45002123e1b2 succeeded~~

  • Load Balancer:-

11-28-2021 08:14:59.008 SMS_CLOUD_SERVICES_MANAGER 9056 (0x2360) Resource Manager - Creating load balancer mecmtechie with deployment CreateLoadBalancer0aa1c7cf-2c8d-4a68-82b4-57151de21b8c~~

11-28-2021 08:15:16.200 SMS_CLOUD_SERVICES_MANAGER 9056 (0x2360) Resource Manager - Deployment CreateLoadBalancer0aa1c7cf-2c8d-4a68-82b4-57151de21b8c succeeded~~

  • Storage Service:-

11-28-2021 08:15:19.309 SMS_CLOUD_SERVICES_MANAGER 9056 (0x2360) Resource Manager - Creating storage service mecmtechie with deployment CreateStorageService920c46ee-5953-4972-8d99-26a6a5946216~~

11-28-2021 08:15:51.415 SMS_CLOUD_SERVICES_MANAGER 9056 (0x2360) Resource Manager - Deployment CreateStorageService920c46ee-5953-4972-8d99-26a6a5946216 succeeded~~




Resource Manager


11-28-2021 08:16:13.495 SMS_CLOUD_SERVICES_MANAGER 9056 (0x2360) Resource Manager - Waiting for deployment CreateVMSSa702ea81-55b3-4d53-b213-4fb023d7943c to finish. Will check again in 15 seconds.~~

11-28-2021 08:16:28.707 SMS_CLOUD_SERVICES_MANAGER 9056 (0x2360) Resource Manager - Waiting for deployment CreateVMSSa702ea81-55b3-4d53-b213-4fb023d7943c to finish. Will check again in 15 seconds.~~

11-28-2021 08:16:43.924 SMS_CLOUD_SERVICES_MANAGER 9056 (0x2360) Resource Manager - Waiting for deployment CreateVMSSa702ea81-55b3-4d53-b213-4fb023d7943c to finish. Will check again in 15 seconds.~~


The step above is the last one and takes the majority of the time; normally the whole deployment takes about 45 minutes.
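When a deployment sits in the "Waiting for deployment ... to finish" loop for longer than expected, it helps to see at a glance how long each Resource Manager deployment in CloudMgr.log took and which one is still running. The function below is an added example, not part of the original post or of Configuration Manager. It parses the flattened one-line format shown in the excerpts above (timestamp, component, PID, thread, message, trailing ~~); $SampleLines is a constructed subset of those excerpts, and the CloudMgr.log path in the final comment is the default log location, which you may need to adjust.

```powershell
# Added example, not from the original post. Summarizes the Azure Resource
# Manager deployments recorded in CloudMgr.log: when each started, whether it
# succeeded, how long it took, and how many 15-second polls were logged.
# $SampleLines is constructed from the excerpt above.

$SampleLines = @(
    '11-28-2021 08:13:19.427 SMS_CLOUD_SERVICES_MANAGER 9056 (0x2360) Resource Manager - Creating key vault mecmtechie with deployment CreateKeyVaulta4ee0632-53dd-4e8a-b50c-a4551756dbf6~~',
    '11-28-2021 08:13:53.797 SMS_CLOUD_SERVICES_MANAGER 9056 (0x2360) Resource Manager - Deployment CreateKeyVaulta4ee0632-53dd-4e8a-b50c-a4551756dbf6 succeeded~~',
    '11-28-2021 08:13:59.435 SMS_CLOUD_SERVICES_MANAGER 9056 (0x2360) Resource Manager - Creating network security group mecmtechie with deployment CreateNetworkSecurityGroup5398212a-4595-4fae-8b16-3cbe97539904~~',
    '11-28-2021 08:14:16.674 SMS_CLOUD_SERVICES_MANAGER 9056 (0x2360) Resource Manager - Deployment CreateNetworkSecurityGroup5398212a-4595-4fae-8b16-3cbe97539904 succeeded~~',
    '11-28-2021 08:15:19.309 SMS_CLOUD_SERVICES_MANAGER 9056 (0x2360) Resource Manager - Creating storage service mecmtechie with deployment CreateStorageService920c46ee-5953-4972-8d99-26a6a5946216~~',
    '11-28-2021 08:15:51.415 SMS_CLOUD_SERVICES_MANAGER 9056 (0x2360) Resource Manager - Deployment CreateStorageService920c46ee-5953-4972-8d99-26a6a5946216 succeeded~~',
    '11-28-2021 08:16:13.495 SMS_CLOUD_SERVICES_MANAGER 9056 (0x2360) Resource Manager - Waiting for deployment CreateVMSSa702ea81-55b3-4d53-b213-4fb023d7943c to finish. Will check again in 15 seconds.~~',
    '11-28-2021 08:16:28.707 SMS_CLOUD_SERVICES_MANAGER 9056 (0x2360) Resource Manager - Waiting for deployment CreateVMSSa702ea81-55b3-4d53-b213-4fb023d7943c to finish. Will check again in 15 seconds.~~',
    '11-28-2021 08:16:43.924 SMS_CLOUD_SERVICES_MANAGER 9056 (0x2360) Resource Manager - Waiting for deployment CreateVMSSa702ea81-55b3-4d53-b213-4fb023d7943c to finish. Will check again in 15 seconds.~~'
)

# One flattened log line: timestamp, component, PID, (thread id), message, trailing ~~
$LinePattern = '^(?<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) \S+ \d+ \(0x[0-9A-Fa-f]+\) (?<msg>.*?)~*\s*$'

function Get-CmgDeploymentSummary {
    param([Parameter(Mandatory)][string[]]$Lines)

    $entries = [ordered]@{}

    # Returns the tracking record for a deployment name, creating it on first sight
    $track = {
        param([string]$Name, [datetime]$Seen)
        if (-not $entries.Contains($Name)) {
            $entries[$Name] = [pscustomobject]@{
                Deployment = $Name; Resource = $null; Started = $null
                Succeeded  = $null; Polls = 0; FirstSeen = $Seen; LastSeen = $Seen
            }
        }
        $entries[$Name].LastSeen = $Seen
        $entries[$Name]
    }

    foreach ($line in $Lines) {
        if ($line -notmatch $LinePattern) { continue }
        $ts  = [datetime]::ParseExact($Matches.ts, 'MM-dd-yyyy HH:mm:ss.fff', [cultureinfo]::InvariantCulture)
        $msg = $Matches.msg

        if ($msg -match 'Creating (?<kind>.+?) (?<name>\S+) with deployment (?<dep>\S+)$') {
            $e = & $track $Matches.dep $ts
            $e.Resource = '{0} {1}' -f $Matches.kind, $Matches.name
            $e.Started  = $ts
        }
        elseif ($msg -match 'Waiting for deployment (?<dep>\S+) to finish') {
            $e = & $track $Matches.dep $ts
            $e.Polls++
        }
        elseif ($msg -match 'Deployment (?<dep>\S+) succeeded$') {
            $e = & $track $Matches.dep $ts
            $e.Succeeded = $ts
        }
    }

    foreach ($e in $entries.Values) {
        # Fall back to first/last sighting when the Creating or succeeded line is not in the slice we were given
        $start = if ($e.Started)   { $e.Started }   else { $e.FirstSeen }
        $end   = if ($e.Succeeded) { $e.Succeeded } else { $e.LastSeen }
        [pscustomobject]@{
            Deployment = $e.Deployment
            Resource   = $e.Resource
            Status     = if ($e.Succeeded) { 'Succeeded' } else { 'InProgress' }
            Started    = $start
            Duration   = $end - $start
            Polls      = $e.Polls
        }
    }
}

Get-CmgDeploymentSummary -Lines $SampleLines | Format-Table -AutoSize

# Against a real log (default site server location; adjust if needed):
# Get-CmgDeploymentSummary -Lines (Get-Content 'C:\Program Files\Microsoft Configuration Manager\Logs\CloudMgr.log')
```

On the constructed sample this reports the key vault, network security group and storage deployments as Succeeded with durations of roughly 17 to 34 seconds each, and the CreateVMSS deployment as InProgress after three polls. The pattern matches the flattened form that CMTrace displays and that is pasted above; the on-disk CloudMgr.log wraps each entry in `<![LOG[...]LOG]!><time="..." date="...">` markup, so adjust $LinePattern if you read the raw file rather than a CMTrace export.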




Logs:-


  • For deployments, use CloudMgr.log and CMGSetup.log.

  • For service health, use CMGService.log and SMS_Cloud_ProxyConnector.log.

  • For client traffic, use CMGHttpHandler.log, CMGService.log, and SMS_Cloud_ProxyConnector.log.
